Author Topic: Comodo continues to issue certificates to known Malware  (Read 23563 times)
ssj100
« on: May 17, 2009, 01:01:18 AM »

http://www.wilderssecurity.com/showthread.php?t=242453

Looks like Comodo's popularity is going to go down even further!

What does Melih have to say about this I wonder?

Sandboxie + LUA + KAfU + SRP + DEP + SuRun
Windows Firewall + NAT Router
Avira AntiVir Personal (on-demand)
VirtualBox (on-demand)

Melih
« Reply #1 on: May 17, 2009, 01:19:03 AM »

That's an ssl certificate (not a code signing cert).

Now let me explain the SSL Certificate market....

Until Geotrust came into the picture in 2001, all SSL certificates were issued after validating the applicant to make sure they were a legitimate company (just that it existed as a legal entity etc. so that the end user had a recourse).

Geotrust "innovated" their way into the SSL market by removing this validation process and called it "Domain Validation".. which means the applicant has money and has a domain. And yes you guessed it, this means bugger all in terms of validation!

This allowed Geotrust to issue certificates very quickly to their customers. Of course this caused the end users to falsely trust sites too. One of the reasons why I initiated the CABForum was that these DV certs were eroding user trust in ecommerce by creating a false sense of security.

Today, the biggest issuers of DV certs are Verisign and Godaddy. They have continued issuing DV certs, which caused the likes of Comodo to offer them as well. If we didn't, we would lose customers and the world would have no chance to fight back. We only issue a very small amount of DV certs compared to Verisign and Godaddy.

As far as I am concerned DV certs SHOULD NOT EXIST! Encrypting data for a recipient you have not verified is stupid at best!

Some people claim that DV certs have a place for just encryption for a site that has a pre-established trust, but that only happens if the user types https://www....... and goes to the site... if the user types http://www... and then clicks on a link, then there is no trust as you can't trust this site in the first place cos it's not validated (it's just http).

So the problems that DV certs have caused have ranged from phishing sites being secured with SSL to malware sites having a DV cert!

Perhaps it will take end users to start demanding the removal of DV certs from the market place! Cos the likes of Verisign and Godaddy are against removing DV certs altogether. (Verisign bought Geotrust for $120M two years ago).

Is this the first.. NO
will this be the last... NO

It's time to demand NO MORE DV CERTS!!!!!!!!

End users must start to show that they care about their security and demand from their OS providers, browser providers and standards organisations that they want proper validation for SSL certs and that Domain Validation should be banned!

Thanks

Melih

ssj100
« Reply #2 on: May 17, 2009, 01:22:09 AM »

Thanks for the reply Melih. Maybe you could post on the Wilders thread too. I don't really care too much, but you guys have a reputation to protect...

3xist
Guest
« Reply #3 on: May 17, 2009, 01:24:04 AM »

SSj100. I'll take care of it. Smiley

Cheers,
Josh

Melih
« Reply #4 on: May 17, 2009, 01:24:55 AM »

Quote from: 3xist
SSj100. I'll take care of it. Smiley

Cheers,
Josh

Thanks Josh

Melih

Melih
« Reply #5 on: May 17, 2009, 02:08:41 AM »

Some people asked me: Is it a good enough reason for Comodo to issue DV certs just because Verisign and Godaddy are issuing it?

Very good question and here is my answer.

Comodo cares for their security, so when someone gets a DV cert from Comodo, we do try to explain to them it is important that they get a higher validation certificate like OV (Organisation Validation) or EV (Extended Validation). This way at least we can convert some of the people who would have bought DV into validated customers. It's better than letting them just go and get a DV cert from other companies who do NOT explain the benefits of Validation and the problems of DV certs to their customers.

So when people buy a DV cert from Comodo, at least we get a chance to explain to them about the problems of DV, this is why Comodo has only a limited amount of DV certs in issuance compared to biggest issuers of DV certs Verisign and Godaddy.

Melih

Melih
« Reply #6 on: May 17, 2009, 02:21:42 AM »

Another important point is:

Through www.ccssforum.org we are trying to set up good communication channels so that anyone who has found malicious activity behind any certificate can report it to the CAs immediately.

We encourage reporting of these and we will recommend that ccssforum.org has a public form where these can be reported. This way ccssforum.org can disseminate these reports to relevant CAs.

thanks

Melih

Creasy
« Reply #7 on: May 17, 2009, 03:06:54 AM »

Quote from: ssj100
http://www.wilderssecurity.com/showthread.php?t=242453

Looks like Comodo's popularity is going to go down even further!

What does Melih have to say about this I wonder?

Some people who don't understand the SSL market in the world usually say that.
Do governments need to provide certs?
It's better.
But no way...

Do SSL certs have some security holes?
Yes.
(I can show you how it works in the real world if you want)

But if some people understand the SSL market as Melih said, they will not say that again.

There will be new algorithms and certs in the future, but not yet.
Every year, there are a few conferences about encryption and security in the world.
(I went to a conference about security and algorithms last year. There were many people from all over the world.)
Many publications of the results of researchers' work and presentations of researchers' reports are rolled out.
Why is it not going to the real markets?
It's not proved yet in the real world.

The most important thing is that users need to have some knowledge about security first
instead of relying too much on security companies.
We are not living in the Precambrian Eon.

« Last Edit: May 17, 2009, 09:10:59 AM by Creasy »

Wrong messages are dangerous, but wrong interpretation of correct messages is even more dangerous.-Andre Kostolany-
I'm a MAN!!
I'm not a girl!

Creasy
« Reply #8 on: May 17, 2009, 03:08:29 AM »

Quote from: Melih
Another important point is:

Through www.ccssforum.org we are trying to set up good communication channels so that anyone who has found malicious activity behind any certificate can report it to the CAs immediately.

We encourage reporting of these and we will recommend that ccssforum.org has a public form where these can be reported. This way ccssforum.org can disseminate these reports to relevant CAs.

thanks

Melih

What is this? Grin Grin Grin
Melih....

questions[at]commoncomputingsecuritystandards.com

Creasy

Melih
« Reply #9 on: May 17, 2009, 03:12:59 AM »

It's a new organisation about setting standards for desktop security products.

I mean even a $5 padlock you buy from hardware store has complied with some standards, yet the AV or Firewall you buy to protect your precious online identity, online banking etc has literally no standards they have to comply with!

So this organisation aims to introduce standards for the desktop security world and improve communication in the industry and provide a single voice and single point of contact.

Melih

Melih
« Reply #10 on: May 17, 2009, 03:14:28 AM »

BTW

I passed the details of this dv cert in question to our validation dept for them to investigate.

Melih

commanding the celsius
« Reply #11 on: May 17, 2009, 07:52:13 AM »

Melih, I've seen a lot of junk like this lately. Comodo's Wikipedia page was changed in an unfavourable manner (pure junk really), so I changed most back..

Wilders always posts junk about Comodo and especially CIS, then this Calendar of Updates seems to have personal issues or she/he doesn't really understand certificates (tragic since he/she claims to be an expert). Softpedia was another case of a company trying to push junk about Comodo and spreading "hate". Comodo needs to fight those rumor spreaders, especially since most is pure junk..

Maybe have someone who talks well post in those forums that always attack Comodo and answer in a "nice" fashion, or technical if that's what's needed. Many companies have a dev or similar posting at Wilders.

I don't think sitting silent is the way to go. Comodo needs to tackle these sorts of stuff.

Since the bigger market share CIS gets the more desperate the others will get..

I really believe people have started to realise that CIS is actually not that annoying and offers better protection than the paid alternatives.. But at the same time we have those who are doing EVERYTHING to make people pick the "alternatives".. Especially now when their major argument against CIS has failed, "It's too chatty". You guys have done a good job preventing CIS chattiness.. =)

Data
Guest
« Reply #12 on: May 17, 2009, 07:59:02 AM »

Quote from: Melih
If we didn't, we would lose customers and the world would have no chance to fight back. We only issue a very small amount of DV certs compared to Verisign and Godaddy.

As far as I am concerned DV certs SHOULD NOT EXIST! Encrypting data for a recipient you have not verified is stupid at best!

Sounds like a conflict of interests.

Quote from: Creasy
The most important thing is that users need to have some knowledge about security first
instead of relying too much on security companies.

In the first instance, the average user has no option but to rely on security companies.
In the second, security companies rely on end users to stay in business. So the less savvy the user, the better, correct?

commanding the celsius
« Reply #13 on: May 17, 2009, 08:18:10 AM »

Quote from: Data
Sounds like a conflict of interests.
In the first instance, the average user has no option but to rely on security companies.
In the second, security companies rely on end users to stay in business. So the less savvy the user, the better, correct?

Since Comodo is not alone in this, why do they get all the garbage?? I guess you are "Data" from COF? Do you think it's fair to bash just Comodo?

Looks like this donna is having personal issues.. Seriously.
« Last Edit: May 17, 2009, 08:20:24 AM by Monkey_Boy=) »

Data
Guest
« Reply #14 on: May 17, 2009, 08:44:50 AM »

Not hard to deduce, but yes, I am the same person from COU. Look around there and you will see I don't "bash" anybody. I tell it as I see it. Whoever it may be.

No it's not personal. It's a case of being let down by one you have supported. In that instance, people have the right to say their piece.

COU is performing a great service. Comodo is providing a great service, but it has to be made clear. Comodo are tarnishing that reputation.

Nobody likes to see products of this quality get bad feedback, but it is warranted.